Introduction
1. a) What is a pass/deny decision?
When the firewall receives a packet, it must decide whether to pass the packet or drop it.
b) What type of packet does a firewall drop and log?
Firewalls will drop and log a provable attack packet.
c) What does the firewall do about packets that it suspects (but cannot prove) are attack packets?
It will pass the packet because it’s not a provable attack packet.
d) Why does the firewall log information about dropped packets?
To keep a record of it for later analysis.
e) Distinguish between border firewalls and internal firewalls.
Border firewalls sit at the boundary between the corporate site and the external Internet. Internal firewalls filter traffic passing between different parts of the site’s internal network.
f) Distinguish between ingress and egress filtering.
In ingress filtering, the firewall examines packets entering the network from the outside, typically from the Internet. The purpose of ingress filtering is to stop attack packets from entering the firm’s internal network.
In egress filtering, in turn, the firewall filters packets when they are leaving the network. This prevents replies to probe packets from leaving the network.
The Danger of Traffic Overload
2. a) What does a firewall do if it cannot keep up with the traffic volume?
It will drop all the packets it cannot process.
b) Why is this action good?
This action is good because the firewall will drop all packets not examined, not allowing unexamined attack packets into the network.
c) Why is this action bad?
This action is bad because valid, non-attack packets will be dropped and effectively create a self-generated DoS attack.
d) Why can a firewall keep up with traffic in general but fail to do so during a major attack?
Firewalls are only able to filter traffic at wire speed, which is the maximum speed of the lines that connect to them.
e) As processing power increases in the future, what will this mean for firewall filtering?
It means that firewalls will be able to do ever more sophisticated processing.
f) What is unified threat management (UTM)?
Unified threat management (UTM) consists of a firewall handling all traditional firewall functions (SPI, ACLs, etc.) as well as additional security functions such as antivirus filtering, spam filtering, application proxy filtering, etc.
g) What does it mean that a firewall should operate at wire speed?
Firewalls that operate at wire speed are able to filter traffic at the maximum speed of the network lines connected to it.
Firewall Filtering Mechanisms
3. a) Is there only one firewall filtering mechanism?
No
b) What filtering mechanisms do almost all main border firewalls use?
Stateful packet inspection.
c) Do SPI firewalls only do stateful packet inspection?
SPI firewalls can do more than just stateful packet inspection.
Static Packet Filtering
4. a) What are the two limitations of static packet filtering? Explain why each limitation is bad.
The first limitation is that, by looking at only one packet at a time, static packet filtering does not stop attacks that can only be detected by knowing the packet’s place in a stream of traffic; no context is applied to the packet. For example, static packet filtering cannot protect against a TCP half-open DoS attack because it only examines individual packets, rather than determining the state of a connection and whether a packet is related to it.
The second limitation is that, by inspecting only certain fields of the Internet and transport headers, static packet filtering cannot stop attacks that use other portions of the packet. For example, attacks that use the data field of application messages will not be examined.
b) For what two reasons do companies not use static packet filtering as the main filtering mechanism in border firewalls today?
For the two reasons mentioned in the last question part.
c) In what two secondary ways do corporations sometimes use static packet filtering?
One way is that static packet filtering may be used as a secondary filtering mechanism on main border firewalls.
The other way is that it may also be implemented in border routers, which lie between the Internet and the firewall.
Stateful Packet Inspection (SPI)
Basic Operation
5. a) What is a state?
A state is a distinct phase in a connection between two applications.
b) Are most packets part of the connection opening state or the ongoing communication state?
Most packets are part of the ongoing communication state.
c) Why is the answer to part b. important for stateful packet inspection’s efficiency?
SPI efficiency is based upon the two categories of states—because most packets belong to ongoing communication, a different (and less expensive) set of filters can be used compared to connection opening states which require more scrutiny, and thus are more expensive to deal with.
d) What is a connection?
A connection is a persistent conversation between different programs on different computers.
e) How is a connection between two programs on different computers represented?
A connection between two programs on different computers is represented by its socket (IP address: port).
Packets That Do Not Attempt to Open Connections
6. a) Give the simple stateful packet inspection firewall rule for packets that do not attempt to open connections.
When a packet arrives that does not attempt to open a connection, the SPI firewall checks whether it is part of a previously opened connection. If it is, the packet is passed, usually without further filtering. If it is not, the packet is dropped and logged.
b) Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.
Yes, simply because if the packet is part of an existing connection in the connection table, the packet is passed, usually without further filtering. If it is not part of an existing connection in the connection table, it is dropped and logged.
c) UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
SPI firewalls can treat UDP communications as if they were stateful by treating certain UDP messages as connection-opening attempts. If subsequent messages match the connection table entry for that UDP exchange, the incoming UDP packet will be passed.
Packets That Do Attempt to Open a Connection
7. Give the two simple default SPI firewall rules for packets that attempt to open connections.
Permit all attempts to open a connection from an internal host to an external host.
Deny all attempts from external hosts to open a connection with an internal host.
Access Control Lists (ACLs) for Connection-Opening Attempts
8. a) For stateful packet inspection firewalls, what do ingress ACLs permit in general?
Ingress ACLs typically permit a specific type of externally originated connection to network resources.
b) What do egress ACLs disallow in general in SPI firewalls?
SPI firewall egress ACLs disallow communication between internal and external hosts in specific ways. For example, an egress ACL can prevent ICMP echo reply messages from internal hosts from exiting the network.
c) What do well-known port numbers designate?
Well-known port numbers designate specific applications running on a server.
d) Is Figure 6-10 an ACL for ingress filtering or egress filtering?
Ingress filtering.
e) Why is Rule 2 in Figure 6-10 safer than Rule 1?
Rule 2 is safer than Rule 1 because Rule 2 allows a connection only to a specific SMTP mail server, while Rule 1 allows connections to all internal webservers. More limited access is safer than broader access.
f) Which rule in the ACL in Figure 6-10 represents the default behavior of SPI firewalls for ingress connection-opening attempts?
Rule 3, deny all connections, represents the default SPI rule for ingress connection opening attempts.
9. Given the ACL in Figure 6-10, what would the firewall do with an incoming ICMP echo message? (This will require some thought. Think about how ICMP messages are encapsulated and what field in the IP header indicates that the packet’s data field contains an ICMP message.)
An incoming ICMP Echo message is a layer 3, connectionless message. The firewall using the ACL in Figure 6-10 would disallow the ICMP message because it does not meet Rule 1 or 2, so it would apply rule 3—deny.
10. Redo the ACL in Figure 6-10 to add rules for the following conditions. After Rule 1, create a rule that permits all connections to internal DNS servers. After the original Rule 2, create rules that permit connections to all Trivial File Transfer Protocol (TFTP) servers and that permit access to FTP Server 60.33.17.1. (Hint: Only allow an FTP supervisory connection; the SPI firewall will later open data connections automatically as needed.)
If TCP destination port = 80 or 443, then allow
If TCP destination port = 53, then allow
If TCP destination port = 25 AND destination IP = 60.47.3.35, then allow
If TCP destination port = 21 AND destination IP = 60.33.17.1, then allow
Disallow all connections
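The SPI behaviour described in Questions 6 through 10, as an added simulation that is not code from the textbook or from any firewall product: ongoing packets are checked only against a connection table, internally originated opening attempts are permitted by default, and externally originated opening attempts are run through the ingress ACL exactly as listed in the Question 10 answer above. The internal address block 60.0.0.0/8, the sample packets and the external addresses are constructed assumptions; only 60.47.3.35 and 60.33.17.1 come from the page.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed for this example: the firm's internal address block (constructed).
INTERNAL = ip_network("60.0.0.0/8")


@dataclass(frozen=True)
class Packet:
    proto: str            # "TCP", "UDP" or "ICMP"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False     # TCP SYN flag
    ack: bool = False     # TCP ACK flag


def conn_key(pkt):
    """Direction-independent connection identifier built from the two sockets."""
    return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))


# Ingress ACL as written in the Question 10 answer: first match wins, final deny.
# Each rule is (name, action, predicate); only connection-opening packets reach it.
INGRESS_ACL = [
    ("Rule 1: TCP 80/443 to any internal host", "allow",
     lambda p: p.proto == "TCP" and p.dport in (80, 443)),
    ("Rule 2: TCP 53 to any internal host", "allow",
     lambda p: p.proto == "TCP" and p.dport == 53),
    ("Rule 3: TCP 25 to 60.47.3.35", "allow",
     lambda p: p.proto == "TCP" and p.dport == 25 and p.dst == "60.47.3.35"),
    ("Rule 4: TCP 21 to 60.33.17.1", "allow",
     lambda p: p.proto == "TCP" and p.dport == 21 and p.dst == "60.33.17.1"),
    ("Rule 5: disallow all connections", "deny", lambda p: True),
]


class SPIFirewall:
    def __init__(self, ingress_acl=INGRESS_ACL):
        self.acl = ingress_acl
        self.table = set()   # connection table of currently open connections
        self.log = []        # (reason, packet) for every dropped packet

    def is_opening(self, pkt):
        """TCP opens with SYN and no ACK. UDP and ICMP are connectionless, so a
        datagram with no table entry is treated as an opening attempt (Q6c, Q9)."""
        if pkt.proto == "TCP":
            return pkt.syn and not pkt.ack
        return conn_key(pkt) not in self.table

    def process(self, pkt):
        """Return "pass" or "drop"; dropped packets are logged with the reason."""
        if not self.is_opening(pkt):
            # Ongoing communication: a cheap connection-table lookup decides (Q6, Q12a).
            if conn_key(pkt) in self.table:
                return "pass"
            self.log.append(("not in connection table", pkt))
            return "drop"
        if ip_address(pkt.src) in INTERNAL:
            # Default egress rule (Q7): internal hosts may open outbound connections.
            # A border firewall only sees internal<->external traffic, so no dst check.
            self.table.add(conn_key(pkt))
            return "pass"
        # Externally originated opening attempt: the ingress ACL is always run (Q8, Q11a).
        for name, action, matches in self.acl:
            if matches(pkt):
                if action == "allow":
                    self.table.add(conn_key(pkt))
                    return "pass"
                self.log.append((name, pkt))
                return "drop"
        self.log.append(("implicit deny", pkt))   # unreachable with a final deny-all rule
        return "drop"


if __name__ == "__main__":
    fw = SPIFirewall()
    print(fw.process(Packet("TCP", "203.0.113.5", "60.47.3.35", 40000, 25, syn=True)))
    print(fw.process(Packet("ICMP", "203.0.113.5", "60.47.3.35")))
    for reason, pkt in fw.log:
        print("dropped:", reason, pkt)
```

The ICMP echo of Question 9 is handled the way the answer above reasons: it matches no permit rule, so the final deny rule drops and logs it.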
11. a) In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection?
SPI firewalls always execute the ACL.
b) In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection? (The answer was not specifically in this section.)
No
12. a) Why are stateful packet inspection firewalls inexpensive?
Stateful packet inspection firewalls are inexpensive because most packets are not connection opening requests; determining whether to drop or pass a packet requires a simple connection table lookup which is fast and cheap.
b) In practice, are they fairly safe?
Yes, in practice they are fairly safe.
c) Are SPI firewalls limited to SPI filtering?
No, they can implement other protections as well.
d) What firewall inspection mechanism do nearly all main border firewalls today use?
Nearly all main border firewalls today use stateful packet inspection.
Network Address Translation (NAT)
Sniffers
NAT Operation
Perspective on NAT
13. a) When NAT is used, why can sniffers not learn anything about the internal IP addresses of internal hosts?
Because when using NAT firewalls, the IP address and port addresses of hosts are translated. Attackers can only see the translated IP addresses and port numbers.
b) Why does NAT stop scanning probes?
Scanning probes are based on IP addresses and port numbers. Sniffers can only read translated IP addresses and port numbers, and these become invalid when connections end. If an attacker acts quickly, it can use translated information, but it is very difficult to act quickly.
c) Why is NAT traversal necessary?
NAT traversal is necessary so that applications that require true internal IP addresses and port numbers can still work when companies use NAT.
d) Is a NAT traversal method easy to select?
No, selecting them can be complex because there are many NAT traversal methods and all have limitations.
Application Proxy Firewalls and Application Content Filtering
Application Proxy Firewall Operation
14. a) What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?
Application proxy firewalls examine application messages whereas static packet filtering does not and SPI firewalls do not in general.
b) Distinguish between proxy programs and application proxy firewalls.
An application firewall has an application proxy program for each application it will filter.
c) If you will proxy four different applications, how many proxy programs will you need?
You will need four separate proxy programs.
d) How many application proxy firewalls will you need at a minimum?
One application proxy firewall can support multiple proxy application programs, so you will need at least one application proxy firewall to support the four proxy programs.
e) Can nearly all applications be proxied?
Only a few applications can be proxied. Most application proxies are HTTP or SMTP.
f) Why is application proxy firewall operation processing intensive?
Application proxy firewall operation is processing intensive because it must maintain two connections for each client/server pair.
g) Why do firms not use application proxy firewalls as main border firewalls?
Because of the high processing load required to maintain the number of connections required by an application proxy firewall, they are not used as border firewalls. They simply would not be able to handle the traffic load.
h) What are the two main roles of application proxy server firewalls today?
Protect internal clients from malicious external servers by forcing all client connections through the proxy which examines the application content of all packets.
Sit between an internal server and external clients to protect the server by examining the application layer content of all incoming client requests for dangerous behavior.
Application Content Filtering in Stateful Packet Inspection Firewalls
15. a) Do stateful packet inspection firewalls automatically do application content filtering? Explain.
No, application content filtering is seen as an extra feature because stateful packet inspection firewalls don’t have to implement relay operation as application firewalls do.
b) Do they have the slow speed of relay operation?
No, they do not do relay operation, so they do not suffer the slow speed of relay operation.
c) What three advantages do application proxy firewalls have in protection that SPI firewalls with content inspection do not have?
Application proxy firewalls always examine application layer content, are more capable of application layer content filtering and use relay operation with two connections per client/server pair.
d) Why are SPI content filtering firewalls faster than application proxy firewalls?
They do not use relay operation.
Application Proxy Firewall Protections
16. a) What filtering actions were listed to protect clients from malicious webservers?
First, the proxy can inspect the URL and compare it with a table of black-listed URLs that are known phishing, pornography, or recreational sites.
Second, the proxy can inspect scripts in downloaded webpages, dropping these webpages if the scripts appear to be malicious or if policies prohibit either certain types of scripts or all scripts.
Finally, the proxy can inspect the MIME type in an HTTP response message. Files with certain MIME types might be allowed or dropped by policy.
b) What filtering action was mentioned to prevent internal client misbehavior in HTTP?
The filtering action that prevents internal client misbehavior in HTTP is for the HTTP proxy to examine outgoing packets from the internal client to the external webserver to detect client misbehavior. For example, the proxy can inspect the method in the URL header; whereas the HTTP GET method is generally safe, the POST method can send files out of the firm. Many firms drop any HTTP request message that uses the POST method in order to provide extrusion prevention.
c) What two filtering actions were mentioned for protecting webservers from malicious clients?
First, the proxy can inspect the method in the URL header. The POST method will allow clients to upload files to the webserver. This might be disallowed by policy to prevent clients from uploading malware, pornography, or any other type of unapproved content.
Second, the HTTP proxy can filter out HTTP request messages that appear to contain SQL injection attacks.
d) What three automatic protections do application proxy firewalls provide simply because of the way in which they operate?
The three automatic protections of application proxy firewalls are internal IP address hiding, header destruction, and protocol fidelity.
Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
Intrusion Detection Systems (IDSs)
17. a) Distinguish between firewalls and IDSs.
Firewalls only stop and log provable attack packets. IDSs identify suspicious packets that may or may not be part of an attack and alert network administrators of potential threats but do not drop suspicious packets.
b) Why are IDS alarms often a problem?
IDS alarms are often a problem because they tend to generate far too many false alarms or false positives. IDSs tend to be ignored after exhausted security staff members receive too many false alarms.
c) What is a false positive?
A false positive is when an IDS issues an alarm for legitimate traffic. Another term is false alarm.
d) What two types of filtering do IDSs use?
The two types of filtering IDSs use are deep packet inspection and packet stream analysis.
e) Why is deep packet inspection important?
This is important because it looks at all fields in the packet, including the IP header, the TCP or UDP header, and the application message. Many attacks cannot be stopped if a firewall only looks at application content or only at Internet and transport layer headers.
f) Why is deep packet inspection processing intensive?
Deep packet inspection is processing intensive because it looks at every field in the packet, which takes more time and processing power.
g) Why is packet stream analysis important?
Packet stream analysis is important because single packets are not enough to determine certain types of attacks. For example, it takes multiple packets to determine if a network is being systematically scanned, or if a TCP half-open DoS attack is occurring.
h) Why does packet stream analysis place a heavy load on IDSs?
Packet stream analysis requires the IDS to reassemble or maintain and compare many packets in order to determine if an attack is taking place; the increased packet total and reassembly place a heavy processing load on the IDS.
Intrusion Prevention Systems (IPSs)
18. a) Distinguish between IDSs and IPSs.
Intrusion prevention systems actually stop attacks rather than merely detecting them and sending out alarms, as IDSs do.
b) Why is the attack identification confidence spectrum important in deciding whether to allow IPSs to stop specific attacks?
Because IDSs produce many false positives and alarms, the attack identification confidence spectrum allows the network security administrator to establish packet-dropping policies based upon the degree of confidence that an attack is taking place.
IPS Actions
19. a) What two actions can IPSs take when they identify an attack?
The two actions taken by IPSs when identifying an attack are to simply drop the packet like a traditional firewall and to limit suspicious traffic to a certain percentage of the total bandwidth.
b) Which can be the most effective?
Dropping packets.
c) Which can do the most damage?
Dropping packets is most dangerous, because it can lead to lost packets that are important to a firm’s operations (such as orders, payment processing, etc.).
Antivirus Filtering and Unified Threat Management (UTM)
20. a) How do firewalls and antivirus servers work together?
The packet will arrive at the firewall, and the firewall will decide what to do with it. To decide, the firewall will check its policy rules base. If the policy rules base says to pass a certain object to an antivirus server, the firewall will do so. Then the antivirus server will examine the object.
b) Are antivirus servers limited to looking for viruses? Explain.
Antivirus servers can do more than just look for viruses. They can scan for worms, rootkits, phishing, Trojan horses, spam, malicious scripts, and other types of malware.
c) What may the antivirus server do after it performs filtering?
After an antivirus server filters, it may drop the object, send it to the firewall to pass to the destination, or pass the object to the destination directly.
d) What type of firewall does both traditional firewall filtering and antivirus filtering use?
Unified Threat Management (UTM) firewalls provide both traditional and antivirus filtering. However, UTMs rarely offer best-of-breed services and should be considered for small offices only.
Firewall Architectures
Types of Firewalls
21. a) Why are screening routers used in a firewall architecture?
The screening border router stops simple high-volume attacks and ensures that responses to external scanning probes cannot reach an external attacker. It economically reduces the load on the main border firewall.
b) Why are internal firewalls desirable?
These are desirable because they control traffic flowing between different parts of the firm’s internal network. In contrast to border firewalls, they can stop internally generated attacks.
c) Why is it easier to create appropriate ACL rules for server host firewalls than for border firewalls?
Most servers only have a single application or a few applications. It is easier to develop specific rules for a few applications than to develop rules for all internal hosts.
d) How does the use of border, internal, and host firewalls provide defense in depth?
Their use provides defense in depth because if the main border firewall or an internal firewall has an ACL configuration error, individual hosts will still be protected.
The Demilitarized Zone (DMZ)
22. a) What is a tri-homed router?
It is a router that connects to three subnets. A tri-homed firewall has one connection to the internal network, one to the DMZ, and one to the border router (leading to the Internet).
b) What is a DMZ?
The DMZ (Demilitarized Zone) is a subnet that contains all of the servers and application proxy firewalls that must be accessible to the outside world.
c) Why do companies use DMZs?
All externally initiated attempts must go to hosts in the DMZ. This permits companies to focus special attention on these hosts, which are under frequent external attack. It also keeps attackers from attacking internal hosts.
d) What three types of hosts are placed in the DMZ?
Public servers, application proxy firewalls, and external DNS servers.
e) Why do companies put public servers in the DMZ?
To place all hosts that must be available to the outside world in a single place where protection can be concentrated. This also ensures that no externally initiated connections go to internal hosts.
f) Why do companies put application proxy firewalls in the DMZ?
Because they enforce a policy that all communication with the outside world must pass through the DMZ.
g) What host names does the external DNS server know?
The external DNS server will only know the host name information for computers in the DMZ.
h) Why do all hosts in the DMZ have to be hardened stringently?
DMZ hosts must be hardened stringently because they will be accessible to the outside world and will be frequently attacked.
Firewall Management
Defining Firewall Policies
23. a) Distinguish between firewall policies and ACL rules.
Firewall policies are high-level statements that reflect corporate security policies and guide firewall implementers. ACL rules are the implementations of the firewall policies at the firewall and are very specific.
b) Why is creating firewall policies desirable compared to just creating a list of ACL rules?
Creating firewall policies is more desirable than just creating a list of ACL rules because policies should be clearly understood in plain English while allowing for the firewall administrator to implement ACL rules that fit the policies with maximum efficiency and lowest cost. It is always smart to state the requirement first and the technical implementation follows; this prevents locking a network into antiquated equipment or techniques.
c) Create three firewall policies not listed in the text.
Allow the database server at Company A (that supplies critical parts to the company) to connect to the corporate database for inventories.
Only allow secure FTP connections.
Log all large (>1MB) file transfers.
Stop all inbound and outbound ICMP messages.
Drop inbound connections to TCP port 445 from hosts 192.168.4.0–192.168.20.255.
Implementation
24. a) Compare firewall hardening needs for firewall appliances, vendor-provided systems, and firewalls built on general-purpose computers.
For firewall appliances, a firm simply installs the appliance between its Internet access router and its internal network. Operation is largely automatic. Firewall appliances are hardened at the factory.
Firewall vendors often sell firewall computers that have prehardened versions of UNIX or Windows. These limit the ability of the organization to make mistakes in hardening the operating system.
Strong actions must be taken to harden the firewalls on general-purpose computers if the firm purchases the computer and installs the firewall software itself.
b) List what centralized firewall management systems do.
Centralized firewall management systems use a firewall policy management server to centrally control many firewalls to ensure consistency and save time and money in firewall administration. It converts policies to ACLs and sends these ACLs to individual servers.
c) What columns does the firewall policy database described in the text contain? Be able to describe each and what options it offers.
Policy number (self-explanatory): each policy has a unique number.
Source and destination: can be host names, groups of IP addresses, subnets, etc. The firewall administrator must manually define groups.
Service: describes the service to be filtered (TCP http, UDP dns, ICMP, etc.)
Action: tells what to do—usually pass, drop, authenticate.
Track: tells what the firewall should do after the action (log, nothing, alert, etc.)
Firewalls: designates which firewall routers should be sent ACLs based upon this policy.
d) Why is vulnerability testing necessary?
ACLs are complex, based upon complex firewall policies that are not easy to translate to ACLs. Vulnerability testing is required to ensure errors in ACL creation are detected and fixed.
e) Why should firewall policies govern both configuration and testing?
If firewall policies govern both, then testers can create tests based on policies. If tests fail, then either the configuration or the test violated the policy. The firm must decide which is wrong.
f) What are the steps in firewall change management?
First, only certain people are allowed to request changes. Fewer should be allowed to approve changes. The requestor must be different from the approver.
Second, firewall changes should be implemented in the most restrictive manner that will pass the smallest number of additional packets.
Third, the change should be documented carefully and completely.
Fourth, the firewall should be vulnerability tested after each change to make sure the change works and that all of the previous behavior is intact.
Fifth, the company should audit the change process frequently to ensure compliance with procedures.
g) Why is reading firewall logs important?
To develop an understanding of the changing threat environment. It will also help to determine what traffic is unusual.
h) What is the most time-consuming part of firewall management?
The most time-consuming part of firewall management is reading firewall logs.
Reading Firewall Logs
25. a) What packets are usually logged in log files?
Dropped packets from firewalls are usually logged in log files.
b) What are the fields in the log file shown in Figure 6-25?
ID number for the packet dropping event.
Time: time packet arrived at the firewall.
Rule: the rule that caused the packet to be dropped.
Source and destination IP addresses found in the dropped packet.
Service: service requested in the dropped packet
c) In the examples given, by what field was the log file sorted?
In Figure 6-25, the log file is sorted by ID number.
The log file is sorted by the time field at which the packet arrived at the firewall.
d) From the log file, what could we infer about the echo probe attack?
The log file shows that a majority of the echo probes are coming from the same IP (14.17.3.139) targeting successive client IP addresses. It appears the attacker is trying to map the internal network based upon receiving echo request reply messages.
e) Did this attack seem to be serious? Explain.
The attack does not seem to be serious. This appears to be an attacker trying to map a network for IP addresses and host OS. The more serious attacks could be coming after the mapping.
f) From the log file, what could we infer about the FTP attack?
It appears that the primary target of the FTP attack is the .56 server. The source IP addresses are never the same, but they do include the 14.17.3.139 host that is trying to map the network. It is possible the attacker is trying to access the FTP server using several zombie machines.
g) Did this attack seem to be serious? Explain.
This attack is more serious than the echo mapping attack because it is targeting a specific host with multiple different computers. The attacker knows there is a server at that IP address and is trying to gain access via multiple captured hosts.
h) Why was the dropping of a single packet because of lack of firewall capacity a cause for concern?
Dropping any packets in such a short capture because of lack of capacity indicates that there is insufficient firewall capacity that must be addressed immediately.
i) What cannot be determined if log files cover too short a period of time?
If the log files cover too short a period of time, you lose the ability to examine attacks that take place over a considerable period of time.
j) Why is it difficult for a log file to cover a long period of time?
It is difficult for a log file to cover a long period of time because long log files require a great deal of disk capacity.
k) What is the advantage of logging all packets passing through a firewall?
A firm can see packets from an attacker that were not dropped by the firewall because it could not identify them as provable attack packets.
l) Why is logging all packets problematic?
Logging all packets makes for very large log files, which means the period of logging is shorter for the same amount of log storage capacity than if only provable attack packets are logged.
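The log reading in Question 25 can be mechanized. The following added example (not the textbook's own material) parses a constructed dropped-packet log with the fields listed in part b, then looks for the three patterns the answers above describe: one source whose echo probes walk successive destination addresses (part d), one destination hit by the same service from many distinct sources (part f), and any packet dropped for lack of capacity rather than by a rule (part h). Only the probing address 14.17.3.139 comes from the page; the 60.47.3.x destinations, the other sources and the "capacity" rule label are invented for the sample.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log in the layout described in Question 25b. 14.17.3.139
# is the probing host named on this page; everything else is made up here.
SAMPLE_LOG = """\
ID,Time,Rule,Source IP,Destination IP,Service
1,10:31:08,3,14.17.3.139,60.47.3.1,echo
2,10:31:08,3,14.17.3.139,60.47.3.2,echo
3,10:31:09,3,14.17.3.139,60.47.3.3,echo
4,10:31:09,3,14.17.3.139,60.47.3.4,echo
5,10:31:10,3,203.0.113.7,60.47.3.56,ftp
6,10:31:10,3,14.17.3.139,60.47.3.5,echo
7,10:31:11,3,198.51.100.22,60.47.3.56,ftp
8,10:31:11,capacity,192.0.2.9,60.47.3.80,http
9,10:31:12,3,14.17.3.139,60.47.3.56,ftp
10,10:31:12,3,14.17.3.139,60.47.3.6,echo
11,10:31:13,3,192.0.2.44,60.47.3.56,ftp
12,10:31:13,3,198.51.100.9,60.47.3.10,echo
"""


def parse_log(text):
    """Turn the comma-separated log into a list of dicts keyed by column name."""
    lines = text.strip().splitlines()
    header = lines[0].split(",")
    return [dict(zip(header, line.split(","))) for line in lines[1:]]


def longest_successive_run(addrs):
    """Length of the longest run of numerically consecutive IP addresses in addrs."""
    nums = sorted({int(ip_address(a)) for a in addrs})
    if not nums:
        return 0
    best = run = 1
    for prev, cur in zip(nums, nums[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best


def find_sweeps(entries, service="echo", min_run=3):
    """Sources whose probes for one service hit successive destination addresses,
    the network-mapping pattern of Question 25d. Returns {source: run length}."""
    targets = defaultdict(list)
    for e in entries:
        if e["Service"] == service:
            targets[e["Source IP"]].append(e["Destination IP"])
    runs = {src: longest_successive_run(dsts) for src, dsts in targets.items()}
    return {src: run for src, run in runs.items() if run >= min_run}


def find_focused_targets(entries, service="ftp", min_sources=3):
    """Destinations hit by one service from many distinct sources, the pattern of
    Question 25f. Returns {destination: sorted list of sources}."""
    sources = defaultdict(set)
    for e in entries:
        if e["Service"] == service:
            sources[e["Destination IP"]].add(e["Source IP"])
    return {dst: sorted(s) for dst, s in sources.items() if len(s) >= min_sources}


def capacity_drops(entries):
    """IDs of packets dropped for lack of firewall capacity rather than by an ACL
    rule (Question 25h); even one such drop is a capacity warning."""
    return [int(e["ID"]) for e in entries if e["Rule"] == "capacity"]


def summarize(text):
    entries = parse_log(text)
    sweeps = find_sweeps(entries)
    focused = find_focused_targets(entries)
    # A mapping host that also shows up among the FTP sources links the two activities.
    ftp_sources = {s for srcs in focused.values() for s in srcs}
    return {
        "sweeps": sweeps,
        "focused": focused,
        "overlap": sorted(set(sweeps) & ftp_sources),
        "capacity": capacity_drops(entries),
    }


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```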
Difficult Problems for Firewall Filtering
The Death of the Perimeter
26. a) How can attackers avoid the border firewall?
Attackers can avoid the border firewall by becoming an internal attacker, attacking internal hosts not protected by the border firewall, or entering or attacking through a wireless access point.
b) How has the perimeter extended outside the site?
It has extended outside the site because remote employees are given access.
Consultants, outsourcers, customers, suppliers, and other subsidiaries must also be given access.
Essentially, all of these tend to use VPNs to make external parties “internal” to your site.
c) How can firms react to this decline in the effectiveness of border firewall filtering?
Firms will have to increasingly rely upon hardening internal hosts against attacks as the effectiveness of the border firewall declines.
Attack Signatures versus Anomaly Detection
27. a) Distinguish between signature detection and anomaly detection.
Signature detection relies upon a unique pattern in the network traffic to identify the threat (like an attack fingerprint). Anomaly detection looks at traffic patterns for deviations from set norms to identify possible attacks.
b) What is a zero-day attack?
A zero-day attack is one that is made before attack signatures for the threat are defined for firewalls and antivirus programs to use.
c) Why are zero-day attacks impossible to stop with attack signatures?
Zero-day attacks do not yet have attack signatures, therefore firewalls and antivirus programs will not be able to detect the attack.
d) What is the promise of anomaly detection?
The promise of anomaly detection is that it could stop attacks without known attack signatures, such as zero-day attacks.
e) Why is anomaly detection becoming critical for firewalls?
Because given the speed with which vulnerability exploits, worms, and viruses are beginning to spread, depending on attack signatures is not reliable, so anomaly detection is essential in firewalls today.
g) What does it mean that a firewall should operate at wire speed?
Firewalls that operate at wire speed are able to filter traffic at the maximum speed of the network lines connected to it.
Firewall Filtering Mechanisms
3. a) Is there only one firewall filtering mechanism?
No. There are several, and the sections that follow cover static packet filtering, stateful packet inspection, network address translation, application proxy filtering, and intrusion prevention.
b) What filtering mechanisms do almost all main border firewalls use?
Stateful packet inspection.
c) Do SPI firewalls only do stateful packet inspection?
SPI firewalls can do more than just stateful packet inspection.
Static Packet Filtering
4. a) What are the two limitations of static packet filtering? Explain why each limitation is bad.
The first limitation is that static packet filtering looks at only one packet at a time, so it cannot stop attacks that can only be recognized from a packet's place in a stream of traffic; no connection context is applied to the packet. For example, static packet filtering cannot protect against a TCP half-open (SYN flood) DoS attack, because it examines individual packets rather than tracking the state of a connection and whether a given packet belongs to it.
The second limitation is that static packet filtering inspects only certain fields of the Internet and transport headers, so it cannot stop attacks that use other portions of the packet. For example, attacks carried in the data field of application messages will not be examined.
b) For what two reasons do companies not use static packet filtering as the main filtering mechanism in border firewalls today?
For the same two reasons: static packet filtering has no connection context (it sees one packet at a time) and it does not examine application-layer content, so it misses too many attacks to serve as the main filtering mechanism.
c) In what two secondary ways do corporations sometimes use static packet filtering?
One way is that static packet filtering may be used as a secondary filtering mechanism on main border firewalls.
The other way is they may also be implemented in border routers, which lie between the Internet and the firewall.
Stateful Packet Inspection (SPI)
Basic Operation
5. a) What is a state?
A state is a distinct phase in a connection between two applications.
b) Are most packets part of the connection opening state or the ongoing communication state?
Most packets are part of the ongoing communication state.
c) Why is the answer to part b. important for stateful packet inspection’s efficiency?
SPI efficiency is based upon the two categories of states—because most packets belong to ongoing communication, a different (and less expensive) set of filters can be used compared to connection opening states which require more scrutiny, and thus are more expensive to deal with.
d) What is a connection?
A connection is a persistent conversation between different programs on different computers.
e) How is a connection between two programs on different computers represented?
A connection between two programs on different computers is represented by the pair of sockets involved, that is, the source IP address and port number and the destination IP address and port number (together with the transport protocol, TCP or UDP).
Packets That Do Not Attempt to Open Connections
6. a) Give the simple stateful packet inspection firewall rule for packets that do not attempt to open connections.
When a packet arrives that does not attempt to open a connection, the SPI firewall checks whether it is part of a previously opened connection listed in its connection table. If it is, the packet is passed, usually without further filtering. If it is not, the packet is dropped and logged.
b) Is SPI filtering for packets that are part of ongoing communications usually simple and inexpensive? Explain.
Yes, simply because if the packet is part of an existing connection in the connection table, the packet is passed, usually without further filtering. If it is not part of an existing connection in the connection table, it is dropped and logged.
c) UDP is connectionless. How is it possible for an SPI firewall to handle UDP connections?
SPI firewalls can treat UDP communication as if it were stateful by treating the first UDP message between two sockets as a connection-opening attempt. If the ACL permits it, the firewall adds an entry to its connection table; subsequent UDP packets in either direction that match the entry are passed, and the entry is removed after a period of inactivity.
Packets That Do Attempt to Open a Connection
7. Give the two simple default SPI firewall rules for packets that attempt to open connections.
Permit all attempts to open a connection from an internal host to an external host.
Deny all attempts from external hosts to open a connection with an internal host.
Access Control Lists (ACLs) for Connection-Opening Attempts
8. a) For stateful packet inspection firewalls, what do ingress ACLs permit in general?
Ingress ACLs typically permit a specific type of externally originated connection to network resources.
b) What do egress ACLs disallow in general in SPI firewalls?
SPI firewall egress ACLs disallow communication between internal and external hosts in specific ways. For example, an egress ACL can prevent ICMP echo reply messages from internal hosts from leaving the network, so that external scanning probes get no response.
c) What do well-known port numbers designate?
Well-known port numbers designate specific applications running on a server.
d) Is Figure 6-10 an ACL for ingress filtering or egress filtering?
Ingress filtering.
e) Why is Rule 2 in Figure 6-10 safer than Rule 1?
Rule 2 is safer than Rule 1 because Rule 2 permits SMTP connections only to one specific mail server (60.47.3.35), while Rule 1 permits HTTP and HTTPS connections to any internal host, including hosts that are not web servers. More limited access is safer than broader access.
f) Which rule in the ACL in Figure 6-10 represents the default behavior of SPI firewalls for ingress connection-opening attempts?
Rule 3, deny all connections, represents the default SPI rule for ingress connection opening attempts.
9. Given the ACL in Figure 6-10, what would the firewall do with an incoming ICMP echo message? (This will require some thought. Think about how ICMP messages are encapsulated and what field in the IP header indicates that the packet’s data field contains an ICMP message.)
An incoming ICMP echo message is a connectionless Internet-layer message carried directly in an IP packet, not in a TCP segment. Rules 1 and 2 in Figure 6-10 match on TCP destination ports, and the protocol field in the IP header of an ICMP message is 1 (ICMP), not 6 (TCP), so neither rule can match. The firewall therefore applies Rule 3 and denies (drops and logs) the packet.
10. Redo the ACL in Figure 6-10 to add rules for the following conditions. After Rule 1, create a rule that permits all connections to internal DNS servers. After the original Rule 2, create rules that permit connections to all Trivial File Transfer Protocol (TFTP) servers and that permit access to FTP Server 60.33.17.1. (Hint: Only allow an FTP supervisory connection; the SPI firewall will later open data connections automatically as needed.)
Rule 1: If TCP destination port = 80 or 443, then allow.
Rule 2: If UDP destination port = 53 (DNS), then allow. (DNS queries normally use UDP; if zone transfers or large responses over TCP port 53 must also reach the internal DNS servers, a matching TCP rule is needed as well.)
Rule 3: If TCP destination port = 25 AND destination IP address = 60.47.3.35, then allow.
Rule 4: If UDP destination port = 69 (TFTP), then allow.
Rule 5: If TCP destination port = 21 (FTP supervisory connection) AND destination IP address = 60.33.17.1, then allow.
Rule 6: Disallow all other connections.
11. a) In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that attempts to open a connection?
Yes. A packet that attempts to open a connection is always evaluated against the ACL for its direction (ingress or egress); connection-opening attempts are the only packets that receive this more expensive scrutiny.
b) In ingress and egress filtering, does an SPI firewall always consider its ACL rules when a new packet arrives that does not attempt to open a connection? (The answer was not specifically in this section.)
No. A packet that does not attempt to open a connection is checked only against the connection table. If it matches an existing connection it is passed; if it does not, it is dropped and logged. The ACL is not consulted.
12. a) Why are stateful packet inspection firewalls inexpensive?
Stateful packet inspection firewalls are inexpensive because most packets are not connection opening requests; determining whether to drop or pass a packet requires a simple connection table lookup which is fast and cheap.
b) In practice, are they fairly safe?
Yes, in practice they are fairly safe.
c) Are SPI firewalls limited to SPI filtering?
No, they can implement other protections as well.
d) What firewall inspection mechanism do nearly all main border firewalls today use?
Nearly all main border firewalls today use stateful packet inspection.
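The behavior described in Questions 5 through 12, as an added example that is not part of the original study guide or of the textbook: a small Python simulation of a stateful packet inspection firewall with a connection table, an ingress ACL evaluated only for connection-opening attempts, a default-permit egress side, and UDP/ICMP pseudo-state. The Packet and SpiFirewall classes, the host addresses, and the traffic scenario are constructed here for illustration; the ingress ACL is the one worked out in Question 10 (Figure 6-10's rules plus DNS, TFTP and FTP), and the egress rule blocking ICMP echo replies is the example from Question 8b.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    direction: str       # "in" (Internet -> site) or "out" (site -> Internet)
    proto: str           # "TCP", "UDP" or "ICMP" (IP protocol field 6, 17 or 1)
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    syn: bool = False    # TCP SYN flag
    ack: bool = False    # TCP ACK flag
    icmp_type: int = -1  # 8 = echo request, 0 = echo reply

# Ingress ACL from the Question 10 answer: (protocol, destination ports, destination host or None).
# Evaluated top to bottom, first match wins; anything unmatched hits the default deny.
INGRESS_ACL = [
    ("TCP", {80, 443}, None),      # Rule 1: HTTP/HTTPS to any internal host
    ("UDP", {53}, None),           # Rule 2: DNS to internal DNS servers
    ("TCP", {25}, "60.47.3.35"),   # Rule 3: SMTP to the mail server only
    ("UDP", {69}, None),           # Rule 4: TFTP
    ("TCP", {21}, "60.33.17.1"),   # Rule 5: FTP supervisory connection only
]

class SpiFirewall:
    def __init__(self, ingress_acl):
        self.ingress_acl = ingress_acl
        self.connections = set()  # connection table: one entry per open connection
        self.log = []             # dropped packets only (Question 25a)

    @staticmethod
    def _key(pkt):
        # A connection is identified by the protocol and its two sockets (Question 5e);
        # the frozenset makes packets in either direction map to the same entry.
        return (pkt.proto, frozenset({(pkt.src, pkt.sport), (pkt.dst, pkt.dport)}))

    def process(self, pkt):
        key = self._key(pkt)
        if pkt.proto == "TCP":
            opening = pkt.syn and not pkt.ack      # a SYN without ACK opens a connection
        else:
            opening = key not in self.connections  # UDP/ICMP: first packet acts as the opener (Q6c)
        if not opening:
            # Ongoing communication: a table lookup decides; the ACL is not consulted (Q6, Q11b, Q12a)
            if key in self.connections:
                return "pass"
            return self._drop(pkt, "no-connection")
        # Connection-opening attempt: evaluate the ACL for this direction (Q7, Q8, Q11a)
        verdict, rule = self._ingress(pkt) if pkt.direction == "in" else self._egress(pkt)
        if verdict == "pass":
            self.connections.add(key)
            return "pass"
        return self._drop(pkt, rule)

    def _ingress(self, pkt):
        for n, (proto, ports, host) in enumerate(self.ingress_acl, 1):
            if pkt.proto == proto and pkt.dport in ports and host in (None, pkt.dst):
                return "pass", f"ingress-rule-{n}"
        return "drop", "ingress-default-deny"          # last rule: deny all other connections

    def _egress(self, pkt):
        if pkt.proto == "ICMP" and pkt.icmp_type == 0:  # Q8b: no echo replies to external probes
            return "drop", "egress-no-echo-reply"
        return "pass", "egress-default-permit"         # Q7: internal hosts may open connections

    def _drop(self, pkt, rule):
        self.log.append((len(self.log) + 1, rule, pkt.src, pkt.dst, pkt.proto, pkt.dport))
        return "drop"

def run_scenario():
    """Constructed traffic; returns ({name: verdict}, drop log)."""
    fw = SpiFirewall(INGRESS_ACL)
    ext, web, ftp, other = "1.2.3.4", "60.47.3.10", "60.33.17.1", "60.47.3.77"
    scenario = [
        ("https-syn",       Packet("in",  "TCP",  ext, web, 51000, 443, syn=True)),
        ("https-data",      Packet("in",  "TCP",  ext, web, 51000, 443, ack=True)),
        ("https-reply",     Packet("out", "TCP",  web, ext, 443, 51000, ack=True)),
        ("smtp-wrong-host", Packet("in",  "TCP",  ext, other, 51001, 25, syn=True)),
        ("ftp-control",     Packet("in",  "TCP",  ext, ftp, 51002, 21, syn=True)),
        ("ftp-unsolicited", Packet("in",  "TCP",  ext, ftp, 51003, 20, ack=True)),  # no table entry
        ("icmp-echo-in",    Packet("in",  "ICMP", ext, web, icmp_type=8)),          # Question 9
        ("dns-query-in",    Packet("in",  "UDP",  ext, other, 40000, 53)),
        ("dns-answer-out",  Packet("out", "UDP",  other, ext, 53, 40000)),
        ("ping-out",        Packet("out", "ICMP", web, ext, icmp_type=8)),
        ("ping-reply-in",   Packet("in",  "ICMP", ext, web, icmp_type=0)),
        ("echo-reply-out",  Packet("out", "ICMP", other, ext, icmp_type=0)),
    ]
    return {name: fw.process(p) for name, p in scenario}, fw.log

if __name__ == "__main__":
    verdicts, log = run_scenario()
    for name, verdict in verdicts.items():
        print(f"{name:16} {verdict}")
    for entry in log:
        print("dropped:", entry)
```

The scenario exercises each rule in the answers above: the HTTPS data and reply packets pass on a table lookup alone, the unsolicited FTP data packet and the inbound echo request are dropped because no rule or table entry covers them, the DNS answer leaves on the pseudo-connection created by the query, and the outbound echo reply is stopped by the egress ACL.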
Network Address Translation (NAT)
Sniffers
NAT Operation
Perspective on NAT
13. a) When NAT is used, why can sniffers not learn anything about the internal IP addresses of internal hosts?
Because when using NAT firewalls, the IP address and port addresses of hosts are translated. Attackers can only see the translated IP addresses and port numbers.
b) Why does NAT stop scanning probes?
Scanning probes are based on IP addresses and port numbers. Sniffers can only read translated IP addresses and port numbers, and these become invalid when connections end. If an attacker acts quickly, it can use translated information, but it is very difficult to act quickly.
c) Why is NAT traversal necessary?
NAT traversal is necessary so that applications that require true internal IP addresses and port numbers can still work when companies use NAT.
d) Is a NAT traversal method easy to select?
No, selecting them can be complex because there are many NAT traversal methods and all have limitations.
Application Proxy Firewalls and Application Content Filtering
Application Proxy Firewall Operation
14. a) What distinguishes an application proxy firewall from static packet filtering firewalls and SPI firewalls?
Application proxy firewalls examine application messages whereas static packet filtering does not and SPI firewalls do not in general.
b) Distinguish between proxy programs and application proxy firewalls.
A proxy program handles one application protocol (for example, an HTTP proxy program or an SMTP proxy program). An application proxy firewall is the device that runs one or more such proxy programs; it has a separate proxy program for each application it filters.
c) If you will proxy four different applications, how many proxy programs will you need?
You will need four separate proxy programs.
d) How many application proxy firewalls will you need at a minimum?
One application proxy firewall can support multiple proxy application programs, so you will need at least one application proxy firewall to support the four proxy programs.
e) Can nearly all applications be proxied?
No. Only a few applications can be proxied, because a proxy program must be written for each application protocol. Most application proxies are HTTP or SMTP proxies.
f) Why is application proxy firewall operation processing intensive?
Application proxy firewall operation is processing intensive because the firewall performs relay operation: it maintains two connections for each client/server pair (one to the client and one to the server) and must reassemble and examine the application messages passing between them.
g) Why do firms not use application proxy firewalls as main border firewalls?
Because of the high processing load required to maintain the number of connections required by an application proxy firewall, they are not used as border firewalls. They simply would not be able to handle the traffic load.
h) What are the two main roles of application proxy server firewalls today?
Protect internal clients from malicious external servers by forcing all client connections through the proxy which examines the application content of all packets.
Sit between an internal server and external clients to protect the server by examining the application layer content of all incoming client requests for dangerous behavior.
Application Content Filtering in Stateful Packet Inspection Firewalls
15. a) Do stateful packet inspection firewalls automatically do application content filtering? Explain.
No. Application content filtering is an extra feature in stateful packet inspection firewalls, not something they do by default. When an SPI firewall does inspect application content, it does so while passing packets through, without the relay operation that application proxy firewalls use.
b) Do they have the slow speed of relay operation?
No, they do not do relay operation, so they do not suffer the slow speed of relay operation.
c) What three advantages do application proxy firewalls have in protection that SPI firewalls with content inspection do not have?
Application proxy firewalls always examine application-layer content; they filter application-layer content more thoroughly; and their relay operation (two connections per client/server pair) automatically provides protections such as internal IP address hiding, header destruction, and protocol fidelity.
d) Why are SPI content filtering firewalls faster than application proxy firewalls?
They do not use relay operation.
Application Proxy Firewall Protections
16. a) What filtering actions were listed to protect clients from malicious webservers?
First, the proxy can inspect the URL and compare it with a table of black-listed URLs that are known phishing, pornography, or recreational sites.
Second, the proxy can inspect scripts in downloaded webpages, dropping these webpages if the scripts appear to be malicious or if policies prohibit either certain types of scripts or all scripts.
Finally, the proxy can inspect the MIME type in an HTTP response message. Files with certain MIME types might be allowed or dropped by policy.
b) What filtering action was mentioned to prevent internal client misbehavior in HTTP?
The HTTP proxy examines outgoing request messages from the internal client to the external webserver to detect client misbehavior. For example, the proxy can inspect the method in the HTTP request line: the GET method is generally safe, whereas the POST method can send files out of the firm. Many firms drop HTTP request messages that use the POST method in order to provide extrusion prevention, although because POST is also used for ordinary form submissions, such a rule is usually applied selectively rather than to all web traffic.
c) What two filtering actions were mentioned for protecting webservers from malicious clients?
First, the proxy can inspect the method in the HTTP request line. The POST method allows clients to upload files to the webserver. This might be disallowed by policy to prevent clients from uploading malware, pornography, or other unapproved content.
Second, the HTTP proxy can filter out HTTP request messages that appear to contain SQL injection attacks.
d) What three automatic protections do application proxy firewalls provide simply because of the way in which they operate?
The three automatic protections of application proxy firewalls are internal IP address hiding, header destruction, and protocol fidelity.
Intrusion Detection Systems (IDSs) and Intrusion Prevention Systems (IPSs)
Intrusion Detection Systems (IDSs)
17. a) Distinguish between firewalls and IDSs.
Firewalls only stop and log provable attack packets. IDSs identify suspicious packets that may or may not be part of an attack and alert network administrators of potential threats but do not drop suspicious packets.
b) Why are IDS alarms often a problem?
IDS alarms are often a problem because they tend to generate far too many false alarms or false positives. IDSs tend to be ignored after exhausted security staff members receive too many false alarms.
c) What is a false positive?
A false positive is when an IDS issues an alarm for legitimate traffic. Another term is false alarm.
d) What two types of filtering do IDSs use?
The two types of filtering IDSs use are deep packet inspection and packet stream analysis.
e) Why is deep packet inspection important?
This is important because it looks at all fields in the packet, including the IP header, the TCP or UDP header, and the application message. Many attacks cannot be stopped if a firewall only looks at application content or only at Internet and transport layer headers.
f) Why is deep packet inspection processing intensive?
Deep packet inspection is processing intensive because it looks at every field in the packet, which takes more time and processing power.
g) Why is packet stream analysis important?
Packet stream analysis is important because single packets are not enough to determine certain types of attacks. For example, it takes multiple packets to determine if a network is being systematically scanned, or if a TCP half-open DOS attack is occurring.
h) Why does packet stream analysis place a heavy load on IDSs?
Packet stream analysis requires the IDS to reassemble or maintain and compare many packets in order to determine if an attack is taking place; the increased packet total and reassembly places a heavy processing load on IDS.
Intrusion Prevention Systems (IPSs)
18. a) Distinguish between IDSs and IPSs.
Intrusion prevention systems actually stop attacks, rather than merely detecting them and sending out alarms as IDSs do.
b) Why is the attack identification confidence spectrum important in deciding whether to allow IPSs to stop specific attacks?
Because IDSs offer many false positives and alarms, attack identification confidence spectrum allows the network security administrator to establish packet dropping policies that are based upon a degree of confidence in the certainty an attack is taking place.
IPS Actions
19. a) What two actions can IPSs take when they identify an attack?
The two actions taken by IPSs when identifying an attack are to simply drop the packet like a traditional firewall and to limit suspicious traffic to a certain percentage of the total bandwidth.
b) Which can be the most effective?
Dropping packets
c) Which can do the most damage?
Dropping packets is most dangerous, because it can lead to lost packets that are important to a firm’s operations (such as orders, payment processing, etc.).
Antivirus Filtering and Unified Threat Management (UTM)
20. a) How do firewalls and antivirus servers work together?
The packet will arrive at the firewall, and the firewall will decide what to do with it. To decide, the firewall will check its policy rules base. If the policy rules base says to pass a certain object to an antivirus server, the firewall will do so. Then the antivirus server will examine the object.
b) Are antivirus servers limited to looking for viruses? Explain.
Antivirus servers can do more than just look for viruses. They can scan for worms, rootkits, phishing, Trojan horses, spam, malicious scripts, and other types of malware.
c) What may the antivirus server do after it performs filtering?
After an antivirus server filters, it may drop the object, send it to the firewall to pass to the destination, or pass the object to the destination directly.
d) What type of firewall does both traditional firewall filtering and antivirus filtering use?
Unified threat management (UTM) firewalls provide both traditional firewall filtering and antivirus filtering. Because a UTM device bundles many functions into one box, each individual function is often not best-of-breed, so UTMs are best suited to small offices rather than as the sole protection for a large site.
Firewall Architectures
Types of Firewalls
21. a) Why are screening routers used in a firewall architecture?
The screening border router stops simple high-volume attacks and ensures that responses to external scanning probes cannot reach an external attacker. It economically reduces the load on the main border firewall.
b) Why are internal firewalls desirable?
These are desirable because they control traffic flowing between different parts of the firm’s internal network. In contrast to border firewalls, they can stop internally generated attacks.
c) Why is it easier to create appropriate ACL rules for server host firewalls than for border firewalls?
Most servers only have a single application or a few applications. It is easier to develop specific rules for a few applications than to develop rules for all internal hosts.
d) How does the use of border, internal, and host firewalls provide defense in depth?
Their use provides defense in depth because if the main border firewall or an internal firewall has an ACL configuration error, individual hosts will still be protected.
The Demilitarized Zone (DMZ)
22. a) What is a tri-homed router?
It is a router that connects to three subnets. A tri-homed firewall has one connection to the internal network, one to the DMZ, and one to the border router (leading to the Internet).
b) What is a DMZ?
The DMZ (Demilitarized Zone) is a subnet that contains all of the servers and application proxy firewalls that must be accessible to the outside world.
c) Why do companies use DMZs?
All externally initiated attempts must go to hosts in the DMZ. This permits companies to focus special attention on these hosts, which are under frequent external attack. It also keeps attackers from attacking internal hosts.
d) What three types of hosts are placed in the DMZ?
Public servers, application proxy firewalls, and external DNS servers
e) Why do companies put public servers in the DMZ?
To place all hosts that must be available to the outside world in a single place where protection can be concentrated. This also ensures that no externally initiated connections go to internal hosts.
f) Why do companies put application proxy firewalls in the DMZ?
Because they enforce a policy that all communication with the outside world must pass through the DMZ.
g) What host names does the external DNS server know?
The external DNS server will only know the host name information for computers in the DMZ.
h) Why do all hosts in the DMZ have to be hardened stringently?
DMZ hosts must be hardened stringently because they will be accessible to the outside world and will be frequently attacked.
Firewall Management
Defining Firewall Policies
23. a) Distinguish between firewall policies and ACL rules.
Firewall policies are high-level statements that reflect corporate security policies and guide firewall implementers. ACL rules are the implementations of the firewall policies at the firewall and are very specific.
b) Why is creating firewall policies desirable compared to just creating a list of ACL rules?
Creating firewall policies is more desirable than just creating a list of ACL rules because policies should be clearly understood in plain English while allowing for the firewall administrator to implement ACL rules that fit the policies with maximum efficiency and lowest cost. It is always smart to state the requirement first and the technical implementation follows; this prevents locking a network into antiquated equipment or techniques.
c) Create three firewall policies not listed in the text.
Allow the database server at Company A (that supplies critical parts to the company) to connect to the corporate database for inventories.
Only allow secure FTP connections.
Log all large (>1MB) file transfers.
Stop all inbound and outbound ICMP messages
Drop inbound connections to TCP port 445 from hosts 192.168.4.0–192.168.20.255
Implementation
24. a) Compare firewall hardening needs for firewall appliances, vendor-provided systems, and firewalls built on general-purpose computers.
For firewall appliances, a firm simply installs the appliance between its Internet access router and its internal network. Operation is largely automatic. Firewall appliances are hardened at the factory.
Firewall vendors often sell firewall computers that have prehardened versions of UNIX or Windows. These limit the ability of organization to make mistakes in hardening the operating system.
Strong actions must be taken to harden the firewalls on general-purpose computers if the firm purchases the computer and installs the firewall software itself.
b) List what centralized firewall management systems do.
Centralized firewall management systems use a firewall policy management server to control many firewalls from one place, ensuring consistency and saving time and money in firewall administration. The server converts policies to ACLs and sends these ACLs to the individual firewalls.
c) What columns does the firewall policy database described in the text contain? Be able to describe each and what options it offers.
Policy number (self-explanatory): each policy has a unique number.
Source and destination: can be host names, groups of IP addresses, subnets, etc. The firewall administrator must manually define groups.
Service: describes the service to be filtered (TCP http, UDP dns, ICMP, etc.)
Action: tells what to do—usually pass, drop, authenticate.
Track: tells what the firewall should do after the action (log, nothing, alert, etc.)
Firewalls: designates which firewall routers should be sent ACLs based upon this policy.
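The policy database columns above, as an added example that is not from the study guide or the textbook: a Python function that does what the central firewall policy management server in part (b) is described as doing, converting policy rows into concrete ACL entries and distributing them to each firewall named in the Firewalls column. The group definitions, the service table, the policy rows, the firewall names and the ACL text format are all constructed here for illustration and are not from the text.

```python
from itertools import product
from ipaddress import ip_network

# Constructed group definitions: the administrator defines these by hand (Source/Destination column).
GROUPS = {
    "Any": ["0.0.0.0/0"],
    "Internet": ["0.0.0.0/0"],
    "DMZ": ["60.47.3.0/24"],
    "MailServer": ["60.47.3.35/32"],
    "Internal": ["10.0.0.0/8", "172.16.0.0/12"],
}
# Service column: name -> (IP protocol, destination port or None)
SERVICES = {
    "http": ("tcp", 80), "https": ("tcp", 443), "smtp": ("tcp", 25),
    "dns": ("udp", 53), "icmp-echo": ("icmp", None),
}
# Constructed policy rows: (number, source, destination, service, action, track, firewalls)
POLICIES = [
    (1, "Internet", "DMZ", "http", "pass", "none", ["border-fw"]),
    (2, "Internet", "MailServer", "smtp", "pass", "log", ["border-fw"]),
    (3, "Internal", "DMZ", "https", "pass", "none", ["border-fw", "internal-fw"]),
    (4, "Any", "Any", "icmp-echo", "drop", "alert", ["border-fw", "internal-fw"]),
]

def compile_policies(policies, groups=GROUPS, services=SERVICES):
    """Expand each policy into ACL lines and distribute them to the named firewalls.
    Every firewall's ACL ends with an explicit deny-all so the default is visible, not implied."""
    acls = {}
    for number, src, dst, svc, action, track, firewalls in policies:
        if action not in ("pass", "drop", "authenticate"):
            raise ValueError(f"policy {number}: unknown action {action!r}")
        proto, port = services[svc]              # KeyError for a service nobody defined
        # One ACL line per (source subnet, destination subnet) pair of the two groups
        for s, d in product(groups[src], groups[dst]):
            line = f"{action} {proto} {ip_network(s)} {ip_network(d)}"
            if port is not None:
                line += f" dport {port}"
            if track != "none":
                line += f" {track}"
            line += f"  # policy {number}"
            for fw in firewalls:
                acls.setdefault(fw, []).append(line)
    for fw in acls:
        acls[fw].append("drop ip 0.0.0.0/0 0.0.0.0/0  # default deny")
    return acls

if __name__ == "__main__":
    for fw, lines in compile_policies(POLICIES).items():
        print(f"== {fw} ==")
        print("\n".join(lines))
```

The point of the example is the separation the text describes: the policy rows stay readable (group and service names, one row per requirement), while the generated ACL lines are specific to subnets, ports and devices and can be regenerated whenever a group definition changes.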
d) Why is vulnerability testing necessary?
ACLs are complex, based upon complex firewall policies that are not easy to translate to ACLs. Vulnerability testing is required to ensure errors in ACL creation are detected and fixed.
e) Why should firewall policies govern both configuration and testing?
If firewall policies govern both, then testers can create tests based on policies. If tests fail, then either the configuration or the test violated the policy. The firm must decide which is wrong.
f) What are the steps in firewall change management?
First, only certain people are allowed to request changes. Fewer should be allowed to approve changes. The requestor must be different from the approver.
Second, firewall changes should be implemented in the most restrictive manner that will pass the smallest number of additional packets.
Third, the change should be documented carefully and completely.
Fourth, the firewall should be vulnerability tested after each change to make sure the change works and that all of the previous behavior is intact.
Fifth, the company should audit the change process frequently to ensure compliance with procedures.
g) Why is reading firewall logs important?
To develop an understanding of the changing threat environment. It will also help to determine what traffic is unusual.
h) What is the most time-consuming part of firewall management?
The most time-consuming part of firewall management is reading firewall logs.
Reading Firewall Logs
25. a) What packets are usually logged in log files?
Dropped packets from firewalls are usually logged in log files.
b) What are the fields in the log file shown in Figure 6-25?
ID number for the packet dropping event.
Time: time packet arrived at the firewall.
Rule: the rule that caused the packet to be dropped.
Source and destination IP addresses found in the dropped packet.
Service: service requested in the dropped packet
c) In the examples given, by what field was the log file sorted?
The log file in Figure 6-25 is sorted by the time field, that is, by the time at which each packet arrived at the firewall. Because the event ID numbers increase in arrival order, this is also the order of the ID numbers.
d) From the log file, what could we infer about the echo probe attack?
The log file shows that most of the echo probes come from the same source IP address (14.17.3.139) and target successive internal IP addresses. The attacker appears to be mapping the internal network by seeing which addresses return echo reply messages.
e) Did this attack seem to be serious? Explain.
The attack does not seem to be serious. This appears to be an attacker trying to map a network for IP addresses and host OS. The more serious attacks could be coming after the mapping.
f) From the log file, what could we infer about the FTP attack?
The primary target of the FTP attack appears to be the .56 server. The source IP addresses are all different, but they include the 14.17.3.139 host that is mapping the network. The attacker may be trying to reach the FTP server from several compromised (zombie) machines.
g) Did this attack seem to be serious? Explain.
This attack is more serious than the echo mapping attack because it is targeting a specific host with multiple different computers. The attacker knows there is a server at that IP address and is trying to gain access via multiple captured hosts.
h) Why was the dropping of a single packet because of lack of firewall capacity a cause for concern?
Dropping any packets in such a short capture because of lack of capacity indicates that there is insufficient firewall capacity that must be addressed immediately.
i) What cannot be determined if log files cover too short a period of time?
If the log files cover too short a period of time, you lose the ability to examine attacks that take place over a considerable period of time.
j) Why is it difficult for a log file to cover a long period of time?
It is difficult for a log file to cover a long period of time because long log files require a great deal of disk capacity.
k) What is the advantage of logging all packets passing through a firewall?
A firm can see packets from an attacker that were not dropped by the firewall because it could not identify them as provable attack packets.
l) Why is logging all packets problematic?
Logging all packets makes for very large log files, which means the period of logging is shorter for the same amount of log storage capacity than if only provable attack packets are logged.
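The inferences drawn in Question 25 (d) through (h), as an added example that is not from the study guide or the textbook: a Python script that parses a dropped-packet log with the Figure 6-25 fields and flags the three patterns discussed, a one-source echo sweep across successive addresses, many sources aimed at one destination and service, and any drop caused by lack of capacity. The log lines are constructed for illustration (they reuse the 14.17.3.139 source and the .56 FTP server from the answers above but are not the figure's data); the rule names, the `capacity` rule label and the thresholds are assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address

# Constructed sample log: id,time,rule,source,destination,service (the Figure 6-25 fields).
SAMPLE_LOG = """\
1,09:15:01,deny-icmp-echo,14.17.3.139,60.47.3.1,icmp-echo
2,09:15:01,deny-icmp-echo,14.17.3.139,60.47.3.2,icmp-echo
3,09:15:02,deny-icmp-echo,14.17.3.139,60.47.3.3,icmp-echo
4,09:15:02,deny-all,200.15.7.22,60.47.3.56,ftp
5,09:15:02,deny-icmp-echo,14.17.3.139,60.47.3.4,icmp-echo
6,09:15:03,deny-all,14.17.3.139,60.47.3.56,ftp
7,09:15:03,deny-all,81.9.44.3,60.47.3.56,ftp
8,09:15:03,capacity,99.1.1.7,60.47.3.12,http
9,09:15:04,deny-icmp-echo,14.17.3.139,60.47.3.5,icmp-echo
10,09:15:04,deny-all,5.6.7.8,60.47.3.56,ftp
"""

def parse_log(text):
    """One dict per dropped-packet event, in the file's (arrival-time) order."""
    events = []
    for line in text.strip().splitlines():
        id_, time, rule, src, dst, service = line.split(",")
        events.append({"id": int(id_), "time": time, "rule": rule,
                       "src": src, "dst": dst, "service": service})
    return events

def find_sweeps(events, min_targets=4):
    """Q25d: one source sending echo probes to many, often successive, internal addresses."""
    targets = defaultdict(set)
    for e in events:
        if e["service"] == "icmp-echo":
            targets[e["src"]].add(e["dst"])
    sweeps = {}
    for src, dsts in targets.items():
        if len(dsts) >= min_targets:
            nums = sorted(int(ip_address(d)) for d in dsts)
            sequential = all(b - a == 1 for a, b in zip(nums, nums[1:]))
            sweeps[src] = {"targets": len(dsts), "sequential": sequential}
    return sweeps

def find_focused_attacks(events, min_sources=3):
    """Q25f: many different sources aimed at one destination and service (the FTP server)."""
    sources = defaultdict(set)
    for e in events:
        if e["service"] != "icmp-echo":
            sources[(e["dst"], e["service"])].add(e["src"])
    return {key: sorted(srcs) for key, srcs in sources.items() if len(srcs) >= min_sources}

def capacity_drops(events):
    """Q25h: a packet dropped for lack of firewall capacity is a capacity problem, not an attack."""
    return [e["id"] for e in events if e["rule"] == "capacity"]

def analyze(text):
    events = parse_log(text)
    return {"sweeps": find_sweeps(events),
            "focused": find_focused_attacks(events),
            "capacity_drop_ids": capacity_drops(events)}

if __name__ == "__main__":
    for section, result in analyze(SAMPLE_LOG).items():
        print(section, result)
```

Sorting the echo targets numerically and checking for gaps is what turns "many probes from one host" into "a systematic scan of successive addresses"; the same grouping run the other way round (many sources, one target) separates the FTP attack from background noise, and the capacity check is deliberately a flat list rather than a threshold, since even one such drop is a problem.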
Difficult Problems for Firewall Filtering
The Death of the Perimeter
26. a) How can attackers avoid the border firewall?
Attackers can avoid the border firewall by becoming internal attackers, by attacking internal hosts that the border firewall does not protect, or by entering through a wireless access point.
b) How has the perimeter extended outside the site?
The perimeter has extended outside the site because remote employees must be given access, and consultants, outsourcers, customers, suppliers, and other subsidiaries must be given access as well.
Essentially, all of these tend to use VPNs, which make external parties “internal” to your site.
c) How can firms react to this decline in the effectiveness of border firewall filtering?
Firms will have to increasingly rely upon hardening internal hosts against attacks as the effectiveness of the border firewall declines.
Attack Signatures versus Anomaly Detection
27. a) Distinguish between signature detection and anomaly detection.
Signature detection relies upon a unique pattern in the network traffic to identify the threat (like an attack fingerprint). Anomaly detection looks at traffic patterns for deviations from set norms to identify possible attacks.
b) What is a zero-day attack?
A zero-day attack is one that is made before attack signatures for the threat are defined for firewalls and antivirus programs to use.
c) Why are zero-day attacks impossible to stop with attack signatures?
Zero-day attacks do not yet have attack signatures, therefore firewalls and antivirus programs will not be able to detect the attack.
d) What is the promise of anomaly detection?
The promise of anomaly detection is that it could stop attacks that have no known attack signatures, such as zero-day attacks.
e) Why is anomaly detection becoming critical for firewalls?
Because given the speed with which vulnerability exploits, worms, and viruses are beginning to spread, depending on attack signatures is not reliable, so anomaly detection is essential in firewalls today.